Social engineering: Bad people tricking good people

U.S. Office of Personnel Management computers were breached last year using a social engineering scam. Photo from New York Times report, "Hacking of Government Computers Exposed 21.5 Million People," 7/9/15


Social engineering is the psychological manipulation of people into performing actions or divulging confidential or sensitive data, typically to commit fraud or to gain access to systems. The attacker is often hard to identify because the social engineering step is just one layer in a larger, multi-stage intrusion.

Whenever someone already knows something about us, we are more likely to trust them. One type of social engineering scheme, referred to as "spear phishing," uses an email sent to a particular person inside an organization and tailored to appear as though it came from a contractor, bank or other trustworthy source. Such emails typically contain a link or attachment which, when opened, installs malware on the person's computer or device. From there a remote access tool (RAT) gives the attacker a foothold to hunt through the network and infect other people's computers. By one widely cited estimate, approximately 70% of cyber-attacks on businesses involve social engineering schemes.

Social engineering schemes really hit the radar screen in 2013, when Target customers found out that information from 40 million credit and debit cards had been stolen. Investigators suspect the attackers initially gained access to Target's network using credentials obtained from an HVAC subcontractor via a phishing email that delivered the Citadel Trojan. Target worked for three years to settle the financial damages caused by the breach, estimated at $162 million after insurance reimbursements. The lesson learned in this case is to require better security from third-party contractors and to limit the network access those parties are given.

One of the most shocking data breaches in the past year affected the U.S. Office of Personnel Management. Personal information for about 21.5 million people was stolen, including Social Security numbers and some fingerprints. The New York Times reports that “every person given a government background check for the last 15 years was probably affected” and “hackers stole ‘sensitive information,’ including addresses, health and financial history, and other private details.”

While social engineering schemes are difficult to prevent entirely, there are a number of steps you can take to help avoid these types of data security attacks:

  • Create a culture of security in your organization. Educate your employees and implement a data security policy.
  • Be sure that all your system patches are up-to-date. (Sinu does this automatically for its customers.)
  • Use the best anti-virus software. While anti-virus software cannot eliminate social engineering schemes, it can help mitigate their effects and those of other malware. (Sinu monitors the market closely to adopt new security products as technology evolves.)
  • Reduce and control local admin rights, so that a single clicked link does not hand the attacker full control of the machine.
  • Commit to strong passwords. Change passwords every six months and use two-factor authentication whenever possible. (See the Sinu blog for more detailed information on creating strong passwords.)
  • Learn to identify spoof emails: check whether the sender's domain is a lookalike of a real one, whether Reply-To points somewhere unexpected, and whether the message failed sender authentication. (See our blog on this topic.)
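As an added example of the last item (this is illustrative code written for this page, not Sinu's tooling), the script below parses a raw email and flags the common spoofing signals a human reviewer would look for: a Reply-To or Return-Path domain that differs from the From domain, a sender domain that is a homoglyph or one-character edit away from a trusted domain, a display name that borrows a trusted organization's name while the address does not belong to it, and SPF/DKIM results other than "pass". Both sample messages and the trusted-domain list are constructed for the example; the homoglyph table and the edit-distance threshold are heuristic assumptions, not a standard.

```python
"""
Heuristic spoof-indicator checks over a raw RFC 5322 message.
Added example for this page; the messages and domain list below are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: the organization's allow-list of domains it legitimately corresponds with.
TRUSTED_DOMAINS = ("acme-hvac.com", "example.com")

# Assumption: a small homoglyph table used only to compare domains, never to rewrite them.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

# Constructed sample: a spear-phishing message posing as a subcontractor's accounts-payable desk.
SAMPLE_RAW = """\
Return-Path: <bounce@relay-7.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=relay-7.example.net; dkim=none
From: "Acme HVAC Accounts Payable" <ap@acrne-hvac.com>
Reply-To: <acme.hvac.billing@gmail.com>
To: jane.doe@example.com
Subject: Updated invoice - action required

Hi Jane, please review the updated invoice via the portal link below.
"""

# Constructed sample: the same subcontractor sending a legitimate message.
CLEAN_RAW = """\
Return-Path: <ap@acme-hvac.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme-hvac.com; dkim=pass header.d=acme-hvac.com
From: "Acme HVAC Accounts Payable" <ap@acme-hvac.com>
To: jane.doe@example.com
Subject: Invoice 1042

Attached as discussed.
"""


def domain_of(header_value):
    """Lower-cased domain part of the address in a header, or '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def normalize(domain):
    """Collapse common homoglyph sequences so 'acrne-hvac.com' compares equal to 'acme-hvac.com'."""
    d = domain.lower()
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def edit_distance(a, b):
    """Levenshtein distance; used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def spoof_indicators(raw, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of (kind, detail) findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, _ = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    return_dom = domain_of(msg.get("Return-Path", ""))
    auth = str(msg.get("Authentication-Results", "")).lower()

    # Replies silently rerouted to another domain (often a free webmail account).
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"Reply-To {reply_dom} != From {from_dom}"))
    # Envelope sender differs from From. Weak on its own (bulk-mail relays do this legitimately).
    if return_dom and return_dom != from_dom:
        findings.append(("return-path-mismatch", f"Return-Path {return_dom} != From {from_dom}"))
    # Sender domain is a homoglyph or single-edit lookalike of a trusted domain.
    for t in trusted_domains:
        if from_dom and from_dom != t and (normalize(from_dom) == normalize(t)
                                           or edit_distance(from_dom, t) <= 1):
            findings.append(("lookalike-domain", f"{from_dom} resembles {t}"))
    # Display name borrows a trusted organization's name but the address is not from it.
    if from_dom not in trusted_domains:
        shown = display.lower().replace("-", " ")
        for t in trusted_domains:
            org = t.split(".")[0].replace("-", " ")
            if org and org in shown:
                findings.append(("display-name-spoof", f"'{display}' sent from {from_dom}"))
    # Any SPF/DKIM/DMARC result that is not 'pass' in the receiving MTA's verdict.
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth):
        if result != "pass":
            findings.append(("auth-failure", f"{mech}={result}"))
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_RAW), ("clean", CLEAN_RAW)):
        print(f"{label}: {spoof_indicators(raw) or 'no indicators'}")
```

None of these checks is proof of fraud by itself; the value is in how many fire at once. A legitimate vendor can use a third-party relay, but a vendor whose name is in the display field, whose domain is one glyph off the real one, whose replies go to webmail and whose SPF failed is the pattern the Target subcontractor story describes.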

Whether it is through malicious emails or fraudulent phone calls, social media has made social engineering schemes easier. From finding your work history on LinkedIn to learning the names of your friends and family on Facebook, it is easier than ever for attackers to use details from your personal life to gain your trust. The key is to be diligent and to train yourself and your employees in what to look for and how to avoid situations that put your valuable data at risk.

For more information about data security, download our brief, Oh the humanity: The role people play in data security.